Hospital staff may unknowingly subject the hospital network to a variety of Web-based threats. These tips will help you mitigate the risks.

By Fred Touchette

Fred Touchette is senior security analyst at AppRiver. For more information on AppRiver: www.appriver.com

Today, as the use of mobile devices like iPhones and BlackBerrys increases on the job, so does easy access to social networking sites, such as Twitter, Facebook and LinkedIn. As a result of this easy access, hospital staff may unknowingly subject the hospital network to a variety of Web-based threats, including malware, viruses, Trojans and worms. What’s worse, a new device made available to help hospitals enhance patient tracking and medicine/drug administration is likely operating on the same network as that of mobile devices carried around by hospital staff, thus putting patients’ care and their records at risk. Mobile device and social networking usage at work, without appropriate security policy and enforcement measures in place, can open the network to an array of potentially damaging security situations.

Research has shown that IT security is considerably underfunded within the healthcare industry, yet many new security regulations are now required. The benefits of establishing a social networking policy, along with providing key information to enhance employee education, can be used to establish a safe and effective use of social networking technologies within the healthcare organization, while ensuring the security of the hospital network as a whole.

Unfortunately, there are no easy answers. Here are the top tips for healthcare compliance professionals to keep in mind when working to ensure that the appropriate security precautions are in place for staff members who utilize social networking sites.

Understand the definition of “social networking.” Although a good first step, it’s not enough to say you have a social networking policy in place. You need to ensure that all staff members understand the definition of social networking and how it applies to Facebook, MySpace, Twitter, SMS and MMS texting and other popular technologies. This comprehension of social networking is key because it will help to enhance the security of the hospital network, especially as more doctors and staff members utilize mobile devices to take notes or access patient information on the go.

32 November 2010

Examine the ways social networking coexists within the healthcare arena today. There are some clear benefits to utilizing various forms of social networking within the healthcare industry, especially when it comes to efficient note taking. Sometimes, sharing information with other doctors via SMS or MMS texting is an efficient way to access a “brain trust” of sorts to diagnose a patient in a faster timeframe. These mobile devices, however, should be managed as part of the social networking policy to be certain that they do not include stored personal information about the doctor or hospital. This will be important to ensure compliance with HIPAA regulations.

Identify the risks and benefits of utilizing social networking technology within the healthcare industry. Similar to the definition of social networking, the risks and benefits should be clearly stated and explained for all hospital staff. Additionally, by highlighting the link between the technology and regulatory environment, you can help your organization remain compliant with HIPAA, among other federal regulations.

Share real-world examples. At the next company-wide meeting, or through various forms of information-share at the hospital, highlight examples of how easy it is to misuse social networking. It will be important to emphasize the consequences associated with the misuse of social networking, some of which can come in the form of significant fines or potential termination, to name a few.

As any good doctor would say, “prevention is always the best medicine.” A healthcare organization can maintain sound security by developing – and following – a comprehensive set of policies and using appropriate solutions when possible.